Two Users Hit by Malware Attack

Wednesday, July 28, 2010 @ 05:07 PM gHale

Less than two weeks after a malware attack on Siemens’ Simatic WinCC and PCS 7, two German end users were able to detect the malware and remove it with no damage to their plants.
Siemens released a tool last week that can detect and remove the virus, and so far more than 3,000 users have downloaded the virus scanner. It is available to download at Siemens. In addition to the downloads, just about 50 end users have contacted us on the hotline to get general information, said Michael Krampe, director of media relations at Siemens Industry Inc.
The company is continuing its investigation into the origination of the virus, Krampe said.
It seems the software/malware had code that could detect Siemens WinCC and PCS7 programs and their data, Krampe said.
Based on current information, the only platforms that may be affected are those where access to data or the operating system is possible via a USB interface, Krampe said.
Normally every plant operator ensures, as part of the security concept, that non-restricted access to critical SCADA system data via a USB interface is not possible, Krampe said. Additional protective devices like firewalls and virus scanners can also prevent Trojans/viruses from infiltrating the plant.
Siemens learned about the malware program (Trojan) targeting the Siemens software Simatic WinCC and PCS 7 on July 14. The company immediately formed a team to evaluate the situation and worked with Microsoft and the distributors of virus scan programs to analyze the consequences and the exact mode of operation of the virus.
The Trojan, which spreads via USB sticks and exploits a Microsoft security vulnerability, can affect Windows computers from XP upward.
Siemens has now established through its own tests that the software is capable of sending process and production data via the Internet connection it tries to establish. However, tests revealed this connection is not completed because the communication partners/target servers are apparently inactive. As part of the ongoing analysis, Siemens is checking to see whether the virus is able to send or delete plant data, or change system files.
Three virus scan programs from Trend Micro, McAfee and Symantec can detect the Trojan.
The objective of the malware appears to be industrial espionage in an effort to steal intellectual property from SCADA and process control systems, said Eric Byres, chief technology officer at Byres Security. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.
Microsoft has issued a security advisory for the vulnerability, which it says affects all versions of the Windows operating system, including Windows 7. The company has seen the bug exploited only in limited, targeted attacks, Microsoft said.